Created attachment 64708
Repro

The following repro causes a NULL pointer crash in latest Chromium:

    <body onload="
      document.designMode='on';
      document.execCommand('selectall');
      document.execCommand('InsertLineBreak');
      document.open();
      document.execCommand('Undo');
      document.execCommand('InsertHTML', false, 'x');
    ">

id:          WebCore::createFragmentFromMarkup ReadAV@NULL (0aeb58d38090b34986cfab3dd85965ec)
description: Attempt to read from NULL pointer in WebCore::createFragmentFromMarkup
stack:
    WebCore::createFragmentFromMarkup
    WebCore::executeInsertHTML
    WebCore::Editor::Command::execute
    WebCore::Document::execCommand
    WebCore::DocumentInternal::execCommandCallback
    v8::internal::HandleApiCallHelper<...>
    v8::internal::Builtin_HandleApiCall
    v8::internal::Invoke
    v8::internal::Execution::Call
    ...
I suspect this is related to the document.close() bug. :)
The document.close() bug is bug 43055.
Yeah, it looks identical. Want to add this test case to your 43055 patch and then mark this as a dup?
This no longer crashes latest Chromium and the suspected duplicate was fixed, marking as fixed.